[Bro] Protosig question, round 2
James Lay
jlay at slave-tothe-box.net
Fri Nov 4 15:36:38 PDT 2016
Ohhhh...gotcha. We have the reverse problem...it appears that GRE is
decapsulated, and vxlan isn't :)
James
On 2016-11-04 16:32, Zeolla at GMail.com wrote:
> But that just matches on it, which I think was the original ticket's
> intent but I missed that. I'm interested in processing the inner
> packet/frame - I thought your initial comments were just your first
> step towards decap. I'm looking to decap and process the inner frame.
> Regardless, sorry, don't mean to hijack.
>
> Jon
>
> On Fri, Nov 4, 2016, 18:09 James Lay <jlay at slave-tothe-box.net> wrote:
>
>> Yea this works:
>>
>> signature protosig_vxlan {
>>     ip-proto == udp
>>     dst-port == 4789
>>     payload /\x08\x00/
>>     eval ProtoSig::match
>> }
>>
>> Adjust the payload "\x08" for vlanid. From
>> https://surf.cloudshark.org/captures/b6495a4ea5d5.
>>
>> James
>>
>> On 2016-11-04 15:38, Zeolla at GMail.com wrote:
>>> Right, I spoke to Arista directly about that too. On the Bro side I
>>> asked via my Broala support contract.
>>>
>>> Jon
>>>
>>> On Fri, Nov 4, 2016, 17:19 Azoff, Justin S <jazoff at illinois.edu>
>>> wrote:
>>>
>>>>> On Nov 4, 2016, at 4:59 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
>>>>>
>>>>> I have the same interests but for vxlan encapsulated traffic.
>>>>> Last I heard, no luck doing this with bro. Have to decap upstream.
>>>>
>>>> I don't recall anyone ever asking about vxlan before. I think it's
>>>> a pretty trivial protocol to decode - look for udp 4789, skip 8
>>>> bytes, see if you have what looks like an ethernet frame.
>>>>
>>>> The main issue with that and things like fabric path is the
>>>> encapsulation into a limited number of outer l3 headers can cause
>>>> flow hashing to be useless making it hard to load balance the
>>>> traffic.
>>>>
>>>> --
>>>> - Justin Azoff
>>>
>>> --
>>>
>>> Jon
>>>
>>> Sent from my mobile device
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Jon
>
> Sent from my mobile device
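The decode Justin sketches above (UDP 4789, skip 8 bytes, check for an Ethernet frame), worked through in Python as an added example that is not part of the thread or of Bro. The inner EtherType allow-list and the sample frame are constructed assumptions; the first check mirrors the `payload /\x08\x00/` pattern from the posted signature.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_HDR_LEN = 8    # flags(1) reserved(3) VNI(3) reserved(1), RFC 7348
ETH_HDR_LEN = 14     # dst MAC(6) src MAC(6) EtherType(2)
# Inner EtherTypes treated as plausible (assumption: a small allow-list).
KNOWN_ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6", 0x8100: "vlan"}
# The payload pattern from the signature in the thread, applied to the UDP payload.
BRO_PAYLOAD_RE = re.compile(rb"\x08\x00")

@dataclass
class InnerFrame:
    vni: int
    dst_mac: str
    src_mac: str
    ethertype: str
    payload: bytes

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def signature_matches(udp_payload: bytes) -> bool:
    """True if the thread's 'payload /\\x08\\x00/' pattern fires on this payload."""
    return BRO_PAYLOAD_RE.match(udp_payload) is not None

def decap_vxlan(udp_payload: bytes) -> Optional[InnerFrame]:
    """Skip the 8-byte VXLAN header and return the inner Ethernet frame,
    or None when the payload does not look like VXLAN-in-UDP."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        return None
    flags = udp_payload[0]
    if not flags & 0x08:            # 'I' bit must be set for a valid VNI
        return None
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[VXLAN_HDR_LEN:]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype not in KNOWN_ETHERTYPES:  # does not look like an Ethernet frame
        return None
    return InnerFrame(vni, _mac(inner[0:6]), _mac(inner[6:12]),
                      KNOWN_ETHERTYPES[ethertype], inner[ETH_HDR_LEN:])

def build_sample(vni: int, ethertype: int, inner_payload: bytes) -> bytes:
    """Constructed test input: one VXLAN UDP payload carrying an Ethernet frame."""
    vxlan_hdr = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth_hdr = bytes.fromhex("020000000001" "02000000000a") + struct.pack("!H", ethertype)
    return vxlan_hdr + eth_hdr + inner_payload
```

A payload whose VXLAN 'I' flag is clear fails both the signature check and the decap, so the two agree on the first byte; the decap additionally rejects payloads whose inner EtherType is not in the allow-list.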